Currently, I don't know of a way to enforce TLS for just the %Service_Bindings, so you will need to enforce it on all connections to the SuperServer if you want to require it. This means you'll need to configure TLS for any other types of connections to the SuperServer you use, including between the CSP gateway and the SuperServer.

Each machine which has Studio installed will also need to be configured to use TLS. I've written up how to do that here:

Usually, the problem you can face with SSL is how to trust a self-signed certificate. In your case, it looks like you have one server for development, and everybody connects to this one server. In this case, there are two ways to make this SSL trusted:

If you have a domain name which is publicly available from the internet. Internal servers should not be available from outside, only one server, where you can generate a certificate with Let's Encrypt. And you can make a wildcard certificate as well.

You don't have such a domain name, and don't have access from outside. So, you should have your own certificate server, and make it by yourself. I think this way is a bit harder.

For local instances, when you need SSL only on your machine for yourself, you can use the mkcert tool and any subdomain from localtest.me (which goes to localhost) for example.

We have our own PKI deployed and configured so trust chain issues are not a problem for us.

Our problem is somewhat different.

Currently, we have (in our httpd.conf) a Redirect directive on all incoming http traffic on port 57772 to https on a different port, but this setup breaks add-ins functionality. The SOAP wizard in particular, which we need to use quite frequently, always executes in the context of the %SYS namespace when SSL is enabled (see attached screenshot).

We always need to temporarily disable SSL to use this wizard, but this is a hassle and, also, I guess that SSL usage should be seamless to the developer when configured correctly, so I suspect we might be doing something the wrong way.

Hi Jiri,

We have done some recent changes to make this work without the need of configuring a redirection. Please drop me a note if you are interested or contact WRC and I will investigate more details on this for you.

Kind regards,
Bernd